Runtime governance, answered plainly

APERION is the runtime governance layer for enterprise AI agents in regulated industries. The product, SmartFlow, sits in the call path between an AI agent and the model it uses, enforcing policy on every prompt, response, and tool call, and producing identity-bound audit evidence. It is built for financial services, insurance, healthcare, and defense. See the Trust Fabric.

It is a four-layer architecture for governing AI agents: verified identity, access governance, runtime governance, and audit and evidence. APERION owns the runtime and audit layers and composes with your existing identity and access stack. Read the Trust Fabric overview.

The runtime plane is the call path between any agent and any model: every prompt sent, every response returned, every MCP tool call. It is where data leaves for a model and where policy has to be enforced in real time. Workflow tools decide which agent runs; the runtime plane governs what that agent sends. More in Use Cases and on the blog.

An AI control plane is the centralized layer that inventories, monitors, enforces policy on, and audits every AI system across an enterprise, including LLM calls, AI agents, MCP tool connections, and agent-to-agent messages. SmartFlow provides this with real-time enforcement rather than after-the-fact observability. See the AI control plane guide.

Workflow governance decides which agent runs and on whose authority. Runtime governance decides what that agent is allowed to send to a model and what comes back. Different buyers, different failure modes: a workflow failure runs the wrong process; a runtime failure sends regulated data to a public model. APERION composes with workflow tools rather than replacing them.

Regulated enterprises deploying AI agents in production: financial services, insurance, healthcare, and defense. The buyers are usually the CISO, the Chief Risk Officer, and the teams accountable for data exposure and regulatory evidence. See Industries.

No. Observability tells you what happened after it happened. APERION enforces policy inline, in the data path, so a blocked action never reaches the model. It also keeps the evidence record. Enforcement first, evidence second.

An enterprise AI gateway is an infrastructure layer between your applications and AI model providers that routes, governs, secures, and inspects every AI request. Unlike an API gateway, it handles prompt and response inspection, policy enforcement, semantic caching, and multi-provider routing. SmartFlow includes an AI gateway built for on-premises deployment. See the enterprise AI gateway guide.

Same pattern, different layer. An API gateway inspects REST headers and payloads. An AI gateway inspects prompts, responses, and tool calls. Different protocols, different controls. You can run both; they do not overlap. See how APERION compares to Kong AI Gateway.

An AI firewall inspects, filters, and enforces policy on every AI request and response in real time. A web application firewall protects against threats like SQL injection and cross-site scripting. An AI firewall addresses AI-specific threats: prompt injection, jailbreaks, sensitive-data exfiltration through prompts, and unsafe model output. SmartFlow runs these inline with minimal latency. See the enterprise AI firewall guide.

Prompt injection, jailbreaks, sensitive data leaving for a public model, destructive or out-of-scope tool calls, and agent actions taken without accountability. Independent research through 2026 has shown high attack rates at the agent and application layer. APERION inspects and enforces at the point those actions occur. See Use Cases.

No. APERION adds the layer your current controls do not cover. Data loss prevention, CASB, and API gateways inspect REST traffic. None inspect prompts, responses, or MCP tool calls. APERION sits at the AI boundary and binds every action to a verified identity.

Semantic caching returns a stored answer when a new prompt is close enough in meaning to a previous one, rather than only on exact text matches. It reduces repeat model calls, which lowers cost and latency. SmartFlow includes semantic caching as part of the gateway. See reducing AI spend.

Yes. SmartFlow runs on-premises, in private cloud, and in hybrid environments, so prompts, responses, and governance data never leave your network. This matters for regulated industries under HIPAA, SEC, the EU AI Act, and data-residency rules. Many competing tools are cloud-only, which routes your AI data through third-party infrastructure. See SmartFlow.

Yes. SmartFlow is built to run inside the boundary, including air-gapped and sovereign environments where no data plane can leave. This is one reason APERION fits defense and national-security deployments. See Industries.

No application rewrite and no model retrain. SmartFlow inserts inline at the AI boundary, the way a network control sits in the path of traffic. Applications and agents point at SmartFlow, which routes to the model.

SmartFlow is containerized and runs on Kubernetes 1.24 or later, on x86_64 or ARM64. Detailed requirements are in the documentation.

SmartFlow is designed to add minimal overhead on the inline path, and semantic caching can reduce latency for repeated or similar prompts by avoiding a model round trip. Benchmark detail is available in the docs and under NDA.

Yes. SmartFlow runs in production with multi-provider failover, so a single provider outage or rate-limit event does not stop traffic. High-availability deployment patterns are covered in the documentation.

Regulated buyers usually run on-premises or in private cloud so the data plane stays inside their boundary. SmartFlow supports all three and can route to a permitted cloud provider when policy allows.

APERION gives each agent a cryptographic identity and maintains a registry of agents, so every action can be tied to a specific principal and to the human who authorized it. This is the basis for identity-bound audit. See the Trust Fabric.

Every AI action is recorded and anchored to a verified identity, so an auditor can trace what an agent did back to the human on whose behalf it acted. The records are tamper-evident. See Use Cases.

Yes. SmartFlow inspects and enforces policy on Model Context Protocol tool calls, not just prompts and responses. Tool calls are where agents act on systems, so they are governed in the same path. The open-source APERION Shield focuses on MCP.

Agent-to-agent messages pass through the same runtime plane and are subject to the same inspection, policy, and evidence. As agents call other agents, the chain stays accountable.

For higher-risk actions, SmartFlow can require a real-time identity check before the action proceeds, a step-up tied to APERION Identity Proofing (NIST IAL2/AAL2). It puts a verified human back in the loop at the moment of risk.

APERION Identity Proofing (NIST IAL2/AAL2) verifies who the human is before access is granted, which defeats synthetic-employee and impersonation fraud at onboarding. The agent then inherits that verified identity through the rest of the stack.

APERION binds the verified identity into your existing IAM (Okta, Microsoft Entra, Active Directory, Veza, SGNL) and binds every runtime action back to that identity for audit. It integrates with your access layer rather than replacing it.

SmartFlow is multi-provider. It routes across providers such as Anthropic, OpenAI, Google, AWS Bedrock, and Azure OpenAI, as well as internal and self-hosted models, through one control plane. See SmartFlow.

Yes. SmartFlow routes to internal and self-hosted models the same way it routes to cloud providers, with the same policy and evidence. On-premises models stay inside your boundary.

No. A runtime control plane exists to keep provider optionality. SmartFlow holds a single policy and evidence layer while you change providers, which preserves your negotiating position when pricing or terms change. Compare APERION and LiteLLM or APERION and Portkey.

SmartFlow supports multi-provider failover and routing, so traffic can shift to a permitted alternative rather than stopping. Routing rules are policy-driven.

Yes. Even with one provider, SmartFlow gives you inline policy enforcement, visibility, and identity-bound evidence, and it preserves the option to move later. The runtime question does not go away because you chose a model.

Yes. Maestro, the policy engine, can block, allow, route, redact, or require step-up based on user, data type, workload, model, and risk. See Maestro.

SmartFlow produces evidence mapped to frameworks including the EU AI Act, SR 11-7, FINRA, DORA, NIST AI RMF, OMB M-24-10, HIPAA, and SEC requirements. The Regulatory Examination Suite assembles examiner-ready packages. See examination readiness.

It is APERION's audit and evidence layer. It turns identity-bound runtime records into queryable, examiner-ready packages, so producing AI control evidence is a single call rather than a reconstruction project.

Regulators increasingly ask for evidence of control, not statements of intent. A policy document describes what should happen. APERION records what did happen, bound to a verified identity, which is what holds up in an exam.

SmartFlow enforces human-oversight and data controls at runtime and records the evidence the EU AI Act expects for higher-risk systems. See EU AI Act readiness.

Records are tamper-evident and bound to a verified identity, so the log is a third-party-grade account of what happened, not a narrative the agent wrote about itself.

SmartFlow detects sensitive data in prompts and can block or redact it before it reaches a model that is not permitted to receive it. This is enforced inline. See Industries.

Yes. Security documentation and attestations are available to prospects under review. Reach out through aperion.ai.

Retention is configurable to your regulatory and internal requirements, and because SmartFlow runs in your environment, the records stay under your control. See the docs.

Purview governs data inside the Microsoft stack. The runtime plane is the call path between any agent and any model, including on-premises and non-Microsoft. Adjacent layer, not the same one.

AI Control Tower governs the workflow agent: which agent runs and what it connects to. APERION governs what that agent sends to the model and what comes back. Different planes. APERION composes with it rather than competing.

Agent 365 orchestrates agents. APERION sits underneath, in the data path, inspecting and recording what those agents send to models. It runs on-premises and across providers, which the workflow plane does not.

Detect-and-respond tools watch for threats and alert after the fact. APERION enforces inline, so a blocked prompt never reaches the model, and it binds every action to identity for evidence. Enforcement and evidence, not only detection.

Yes. APERION integrates with Okta, Microsoft Entra, Active Directory, Veza, and SGNL at the access layer and binds those identities into runtime evidence. It does not replace your identity provider.

Yes. Your API gateway handles REST traffic. APERION handles the AI boundary: prompts, responses, and tool calls. They operate at different layers. See APERION and Cloudflare AI Gateway.

The difference is inline enforcement, on-premises deployment, agent identity, and identity-bound regulatory evidence in one runtime layer, rather than cloud-only observability. See the comparison pages, for example APERION and TrueFoundry or APERION and Credo AI.

It gives banks and insurers inline control over what agents send to models, provider optionality, and identity-bound evidence for SR 11-7, FINRA, and DORA. The data plane stays inside the institution. See Industries.

The same runtime control and evidence requirements as banking, applied to claims, underwriting, and customer-facing AI, with sensitive data kept inside the boundary.

SmartFlow detects PHI and blocks it from reaching a model that is not permitted to receive it, enforces information barriers at the model boundary, and produces provenance records aligned with 21 CFR Part 11 and validated-system expectations. See Industries.

In May 2026 the Five Eyes cyber agencies published joint guidance on agentic AI in critical infrastructure. The controls they describe map to a runtime architecture: cryptographic agent identity, a trusted registry, controls at every data boundary, human control points, and identity-bound accountability. APERION runs these on-premises and air-gapped. See Industries.

Yes. SmartFlow gives a single inline point to discover and govern fragmented AI use across business units. See governing shadow AI.

Yes. The gateway turns unbounded model usage into governed spend with attribution, budget controls, semantic caching, and provider optionality. See reducing AI spend.

Shield is APERION's open-source middleware for governing Model Context Protocol traffic. It inspects MCP tool calls and applies policy, and it is the open front door to SmartFlow's runtime governance. It is on GitHub.

Apache 2.0. You can run it, read the source, and build on it.

Shield ships with a rule set and a five-signal scoring model that aims to flag genuine risks while letting normal operations through. In testing against real command traffic it passed legitimate operations through at a high rate. See the repository for detail.

Shield governs MCP at the open-source layer. SmartFlow is the full runtime control plane: multi-provider gateway, policy engine, agent identity, and the audit and evidence layer, built for regulated on-premises deployment. Shield is the entry point; SmartFlow is the enterprise product.

Yes. Shield is standalone and open source. SmartFlow is for teams that need the full runtime plane and regulatory evidence.

Developer documentation is at docs.aperion.ai, and the source is on GitHub.

Most engagements begin with a scoped proof of concept in one team or business unit, then expand. Reach out through aperion.ai to scope one.

Yes. A scoped proof of concept runs in your environment so you can see inline enforcement and evidence on your own traffic before expanding.

SmartFlow is enterprise software priced per deployment. Pricing depends on scope and environment, so it is set with sales rather than published. Reach out through aperion.ai.

Usually the CISO and the Chief Risk Officer, with the CIO involved where workflow-agent platforms are in play. Each layer of the Trust Fabric maps to a distinct owner.

Because SmartFlow inserts inline without application rewrites, a scoped deployment is measured in weeks, not quarters. Specifics depend on environment and integrations.

Start with the documentation and the open-source Shield repository. For runtime-governance analysis and incident coverage, see the WOPR Report and the blog.